Archive for January, 2016

Humans aren’t very good drivers. We’re unable to watch everything that’s going on around us at all times, we’re easily distracted, and many of us seem utterly incapable of putting the cell phone down even when we’re driving. Not surprisingly, especially when you consider the number of vehicles on the road, a lot of collisions happen every day. The State benefits from this because it has created numerous laws that allow it to rake in cash when people crash into one another but do fuck all for safety. Fortunately the market is here to help and it doesn’t even need a gang of armed agents to shoot our pets:

In what may not come as a surprise, vehicles with automatic braking systems are involved in rear-end crashes (that is, accidents in which a vehicle hits a car directly in front of them) at lower rates than vehicles not equipped with the systems, says the Insurance Institute for Highway Safety, or IIHS.

According to the IIHS research, equipping vehicles with both warning and autobraking systems reduced the rate of rear-end crashes by 39 percent and rear end crashes with injuries by 42 percent. That’s an overall reduction in crashes by 12 percent and a reduction in injury crashes by 15 percent.

Machines can be far better drivers than humans. With the right sensors they can watch everything that’s going on around them, they don’t get distracted, and they can multitask, so sending information over a cellular connection doesn’t hinder their ability to drive. Adding automation to automobiles has been improving safety since, at least, power brakes became a thing. As the number of tasks an automobile can do itself increases we will likely continue to see a corresponding increase in safety.

What’s beautiful about these safety systems is that they don’t require the threat of violence to create. I’m sure the State will take credit for these automated braking systems by making them mandatory but the State didn’t invent them, the market did. Automobile manufacturers have voluntarily developed these systems to make their vehicles safer and therefore, they hope, more appealing to customers.

Meanwhile the State will continue passing laws to needlessly change the roadways and highways, make more things a finable offense, and other such nonsense under the false claims of increasing safety while really increasing its revenue.

Setting aside the severe privacy implications of pervasive police body cameras, the biggest issue is that the police remain in sole control of the devices and data. Even in cities that require police to wear body cameras I still urge people to record any and all police interactions they’re either a party to or come across. When individuals record the police the footage isn’t in the police’s control, so there are barriers that make it more difficult for them to use it to prosecute somebody. Footage recorded by individuals is also more resilient to the body camera memory hole.

When the only footage of a police encounter comes from a police controlled device it’s a simple matter for the officer to disable it. The best way to counter such a threat is to record police interactions yourself.

Most people carry smartphones, which usually come equipped with a decent camera. You can use the built-in video recording app but there are better options in my opinion. A friend of mine who spends a lot of time recording the police uses and recommends Bambuser. The American Civil Liberties Union has region-specific apps for recording the police. Both options are good because they upload the video to a remote server, so a cop cannot destroy the footage by confiscating or destroying your recording device.

Police body cameras sound like a great idea on paper but as with most things in life if you want something done right you should do it yourself.

Throughout the United States—outside private houses, apartment complexes, shopping centers, and businesses with large employee parking lots—a private corporation, Vigilant Solutions, is taking photos of cars and trucks with its vast network of unobtrusive cameras. It retains location data on each of those pictures, and sells it.

It’s happening right now in nearly every major American city.

The company has taken roughly 2.2 billion license-plate photos to date. Each month, it captures and permanently stores about 80 million additional geotagged images. They may well have photographed your license plate. As a result, your whereabouts at given moments in the past are permanently stored. Vigilant Solutions profits by selling access to this data (and tries to safeguard it against hackers). Your diminished privacy is their product. And the police are their customers.

The company counts 3,000 law-enforcement agencies among its clients. Thirty thousand police officers have access to its database. Do your local cops participate?

One of the biggest risks of corporate surveillance is that the collected data, either through sale or warrant, ends up in the hands of the State. While I have no real concerns about Facebook using my social graph to justify sending armed goons to kidnap me I do have concerns about a judge granting a warrant to a law enforcement agency to obtain that data as a justification for kidnapping me.

In my position as a discount security advisor to the proles one of the hardest challenges I face is convincing people how important security is. Most people assume they have nothing to hide. They usually claim they won’t lose anything of importance if an unauthorized party gains access to their online accounts. I can’t remember how many times I’ve heard, “If they get into my Facebook they’ll just learn how boring I am.”

Even if you are the most boring person in the world, preventing unauthorized persons from accessing your accounts is critically important. Failing to do so can lead to severe real life ramifications:

In one nasty spurt in May, a hacker gained control of Amy’s Twitter account, which she had used only twice before, and posted a series of racist and antisemitic messages. (See if you can tell where Amy’s tweets end and the hacker’s begin in the timeline below.)

That same day, a hacker used Amy’s email account to post a message to a Yahoo Groups list of about 300 residents of the Straters’ subdivision, including many parents of students at the elementary school that the family’s youngest daughter attends. According to local news reports, the message carried a chilling subject line—“I Will Shoot Up Your School”—and detailed a planned attack on the school. Oswego police quickly verified that Amy’s account had been hacked and that the message was a hoax, but the damage had been done.

Later that day, Amy discovered that her LinkedIn profile had been hacked, too. The hacker posted a message calling her employer, Ingalls Health System, “A TERRIBLE COMPANY RAN [sic] BY JEWS.”

Amy, who had worked at Ingalls for seven months as a director of decision support, had suspected that the trolls might target her employer. She says she had previously alerted the company’s IT department that the company’s systems might be compromised by the same people who were attacking her and her son.

She expected support—after all, if it was her house that was being repeatedly robbed, rather than her social media accounts, wouldn’t the company be sympathetic? But none came. Shortly after the hack, Ingalls fired Amy from her six-figure job, giving her 12 weeks of severance pay. Amy says she got no satisfactory explanation for her dismissal, other than a hint that she was “too much of a liability.” (A spokeswoman for Ingalls Health System declined to comment.)

[…]

She hasn’t been able to get another job in hospital administration because for months, her first page of Google results has included her LinkedIn profile and her Twitter account, both of which were filled with racist and anti-semitic language. (She recently regained access to her LinkedIn account after contacting the company’s fraud division, but her defaced Twitter account is still up, since the attacker changed the password to prevent her from restoring it.)

I won’t lie to you and claim proper security practices will thwart a dedicated attacker such as the ones preying on the Straters. What proper security practices will do is make you a harder target. The cost of attacking you will go up and when it comes to self-defense, whether it’s online or offline, the goal is to raise the cost of attacking you high enough to dissuade your attackers. If you can’t dissuade your attacker entirely you can still reduce the amount of damage they cause.

Twitter, Yahoo, Google, LinkedIn, Facebook, and many other websites now offer two factor authentication. Two factor authentication requires both a password and an additional authentication token, usually tied to a physical device such as your phone, to log into an account. Enabling it is a relatively easy way to notably raise the cost of gaining unauthorized access to your accounts. If nothing else you should make sure your primary e-mail account supports two factor authentication and that it is enabled. E-mail accounts are a common method used by websites to reset passwords so gaining access to your e-mail account often allows an attacker to gain access to many of your other online accounts.

I also recommend using a password manager. There are many to choose from. I use 1Password. LastPass is still a manager I’m willing to recommend with the caveat that I don’t trust the new owners and therefore am wary of it as a long-term solution. Password managers allow you to use a unique, complex password for each of your accounts. If you use a common password for all of your accounts, which is a sadly common practice, and an unauthorized party learns that password they will have access to all of those accounts. Using a password manager allows you to limit damage by securing accounts with complex passwords that are difficult to guess and ensures an unauthorized party cannot gain access to any additional accounts by learning the password to one of them.

I must note that there is the potential threat of an unauthorized party compromising your password manager. In general the risk of this is lower than the risks involved with not using a password manager. There are also ways to mitigate the risk of unauthorized parties gaining access. LastPass, along with many other online password managers, supports two factor authentication. 1Password syncs passwords using iCloud or Dropbox, both of which support two factor authentication. You can also disable syncing in 1Password entirely so your password database never leaves your computer. LastPass, 1Password, and most other password managers also encrypt your password database so even if an unauthorized party does obtain a copy of the database they cannot read it without your decryption key.

Using two factor authentication and a password manager are by no means the only actions you can take. I mention them because they are simple ways for the average person to bolster the security of their online accounts quickly.

Nothing I’ve described above will protect you from social engineering attacks. Due to the lack of authentication inherent in many systems it’s still possible for an attacker to send the police to your home, order pizzas to be delivered to your home, call your employer and harass them enough to convince them to fire you, send anonymous bomb threats in your name, get your utilities disconnected, etc.

What I’ve described can reduce the risk of an attacker gaining access to your social media accounts and posting things that could cost you your job and haunt you for the rest of your life. And regardless of what most people believe, keeping attackers out of these accounts is important. Failure to do so can lead to dire consequences as demonstrated in the linked story.

In most professions the opinions of those who lack an understanding of a pertinent topic are rightfully ignored. Why would anybody waste time asking somebody who knows nothing about software development about the best method to implement a software feature? But the legal field is not most professions. In the legal field you can lack an understanding of a pertinent topic and still be taken seriously as proven time and again when a judge attempts to rule on a case involving technology:

In short, Judge Bryan, despite hearing the views of those who took part in the investigation, and having read the briefs submitted by the defense and prosecution several times, could not fully grasp what the NIT was doing.

“If a smart federal judge still has trouble understanding after hours of expert testimony what is actually going on,” then the average judge signing warrant applications has little hope of truly understanding what the FBI is proposing, Nate Wessler, staff attorney at the American Civil Liberties Union (ACLU), told Motherboard in a phone interview. (The ACLU has agreed to a protective order for the Michaud case, allowing it access to the sealed filings.)

“It appears in this case, and that’s consistent with other cases we’ve seen elsewhere in the country involving use of malware, the government explanations and warrant applications are quite sparse, and do not fully explain to judges how these technologies works,” Wessler added.

As the hearing continued, Judge Bryan said “I suppose there is somebody sitting in a cubicle somewhere with a keyboard doing this stuff. I don’t know that. It may be they seed the clouds, and the clouds rain information. I don’t know.”

Emphasis mine. The judge openly admits that he doesn’t know how the Federal Bureau of Investigation’s (FBI) malware works and further emphasizes this fact by saying something entirely nonsensical. In almost any other profession the judge’s rambling would have been dismissed but in the legal profession his ruling, even though he has no idea what he’s ruling on, is respected.

This is yet another item in a long list of problems with the United States legal system. The fate of accused parties is being put into the hands of individuals who are entirely unqualified to make the decisions they’re tasked with making. As soon as Judge Bryan said he didn’t know what was going on he should have been replaced by somebody qualified. In any other profession he would have been. But a judge’s power is more important than their knowledge in the courtroom. How anybody can look at such a system and claim it dispenses justice is beyond me.

The United States has a very proud history of punishing its heroes. William Binney had armed goons storm his home and kidnap him because he revealed rather concerning National Security Agency (NSA) programs. When Chelsea Manning revealed war crimes being committed by the United States military she ended up in a military prison. Edward Snowden is still in exile for revealing the NSA’s illegal surveillance operations. Now the United States government is going after the man who revealed the corruption in the Foreign Intelligence Surveillance Court:

A former Justice Department lawyer is facing legal ethics charges for exposing the President George W. Bush-era surveillance tactics—a leak that earned The New York Times a Pulitzer and opened the debate about warrantless surveillance that continues today.

The lawyer, Thomas Tamm, now a Maryland state public defender, is accused of breaching Washington ethics rules for going to The New York Times instead of his superiors about his concerns about what was described as “the program.”

Tamm was a member of the Justice Department’s Office of Intelligence Policy and Review and, among other things, was charged with requesting electronic surveillance warrants from the secret Foreign Intelligence Surveillance Court.

The District of Columbia Court of Appeals Board of Professional Responsibility said Tamm became aware in 2004 that certain applications to the FISA Court for national security surveillance authority “were given special treatment.”

Isn’t it ironic how the State keeps urging whistleblowers to come forth if their information is related to a private organization but prosecutes any whistleblower who comes forth with information about government corruption? If a whistleblower can lead the government to some wealth to steal it is grateful, but when its dirty laundry is aired it becomes angry and violent.

There’s a lot of bad self-defense advice out there but very little of it is as harmful as telling women they shouldn’t defend themselves. I can only imagine this advice was started by some misogynist piece of shit who viewed women as such lesser creatures that they couldn’t possibly defend themselves against a big, strong man such as himself. It’s likely this asshole also had fantasies about teaching any woman who resisted him a lesson so believed it would be safer for women being attacked to just lie back and think of England.

However this crap started, it has culminated in terrible, harmful advice such as telling women to “be realistic” about their ability to protect themselves, which is a euphemism for telling women they’re incapable of defending themselves against big, strong men so they can only resort to pissing themselves to dissuade rapists.

As a matter of fact, research conducted since the 1970s has consistently shown that fighting back is actually the most effective strategy to thwart sexual assaults.

Studies such as Kleck & Tark (2005), Reekie & Wilson (1993) or Ullman & Knight (1992) indeed show that women who respond with physical and verbal resistance to the offender’s violent attack significantly reduce the probability that a rape would be completed.

Fighting back may not work 100% of the time (nothing does) but it works most of the time.

Criminals, by and large, are opportunists. They seek to fulfill their wants with the least amount of effort possible. Like any predatory animal they try to identify the weakest prey. That means they seek the unaware, the physically unimposing, and the ones unwilling to fight back. When a criminal discovers their prey is very much willing to fight back they often disengage.

If you’re attacked always fight back and give yourself as many advantages as you can. Take some self-defense courses or, better yet, dedicate yourself to the study of a martial art. And if at all possible carry a weapon. I highly advise carrying a firearm since they are the most effective tools for self-defense but if you’re unwilling or unable to do that there are alternatives.

We truly live in wondrous times. At one time people held inconvenient beliefs about people being innocent until proven guilty by a jury of 12 impartial individuals. Today is a simpler time where most cases never go to trial. Instead the State merely coerces accused individuals into admitting guilt:

The presumption of innocence helps to combat prejudice and prejudging in the U.S. criminal justice system. But because plea bargains have supplanted trials in our criminal justice system, that presumption does not apply to most cases in the United States.

[…]

Unfortunately, the system that is described by our school teachers and that Americans see on television and in the movies is now defunct. Jury trials are now rare events in the United States. In fact, about 95 percent of the cases moving through the system will not go to trial. The overwhelming majority of cases will be resolved by plea bargains.

In a plea bargain, the prosecutor typically offers the defendant a reduced prison sentence if he agrees to waive his right to a jury trial and admit guilt in a brief hearing before a judge. Prosecutors use their power to pressure people who have been accused of a crime, and are presumed innocent, to waive their right to a trial and admit guilt.

We know this is true because prosecutors admit that this is what they are doing. The Supreme Court has approved these prosecutorial tactics in the landmark 1978 case, Bordenkircher v. Hayes. By a close 5-4 vote, the court said there was no constitutional problem with pressuring the accused to waive his trial and admit guilt. According to the court, there is no illegal coercion “so long as the accused is free to accept or reject the prosecution’s offer.”

The article touches on the folly of this system but I want to make another important point.

A person accused of a crime isn’t involved in a fair game. From the very beginning of a case, where the accused is arrested, the deck is stacked against them. Cops can lie to them but they can’t lie to the cops. So the accused is at an immediate information disadvantage because the cops can lie about evidence, witness testimony, and other things that can make a charge look hopeless to fight. Prosecutors have the right to threaten an accused with decades of prison time whereas the accused has no right to threaten the prosecutor with, say, a retaliatory lawsuit if it’s later found out that they’re innocent. In addition to that it’s also not uncommon for an accused party to be stuck paying their legal defense fees even if they are found innocent.

The deal presented to the accused party isn’t fair by any sane definition. No matter what avenue they choose they’re at a major disadvantage. Admitting guilt and taking the lesser sentence seems like a good choice when the alternative is a longer sentence and tremendous legal defense fees. Especially when, as far as the accused knows, the evidence against them is thoroughly damning.

A legal system that favors one side over the other cannot be considered an engine for justice. It is merely a formality that allows the advantaged side to declare its actions just when it crushes the disadvantaged side.

The State is no different than any other thief. It’s an opportunist that preys on the most vulnerable. An incredible example of this is Denmark’s parliament:

The Danish parliament has backed a controversial proposal to confiscate asylum seekers’ valuables to pay for their upkeep.

[…]

Under the new law, refugees entering the country will only be allowed to keep possessions up to a value of about 10,000 kroner (1,340 euros; £1,000) – a figure raised from 3,000 kroner following objections.

Seldom is the State this brazen in its theft. Usually it wraps its actions in euphemisms such as taxes, citations, and civil forfeiture. The State also avoids openly targeting the vulnerable but in this case it is making an exception.

What makes this blatant theft worse is that many people seem to support it. Supporters of this crime claim that it’s a legitimate way for the refugees to offset their burden on society. This, like any other claim justified by nonsensical collectivism, is bullshit.

Let’s address the very premise that there is a burden on society. Why would people living in Denmark have to foot the bill for refugees entering the country? Because the State has a gun to their heads demanding they do so. Taxes aren’t increased because refugees are entering the country. Taxes are increased because the State has yet another means to justify increasing its rate of theft. The refugees aren’t the problem, they’re merely the excuse used by the problem.

Refugees are entirely without fault in this mess. They have every right to cross the imaginary line claimed by the biggest gang in Denmark as its territory. That gang has no legitimate claim to the land so nobody is in the wrong for crossing into it. None of the refugees are stealing wealth from the people already living in Denmark. All of the theft is being performed by the Danish government.

It’s a day ending in “y”, which means somebody in the technology community has to be butthurt over all the mean nasty things the big evil social justice warriors are saying. Today’s outrage is brought to us by an anonymous developer who is really unhappy with pushes to include codes of conduct as part of open source projects:

Religious wars in software used to be about a fat bearded man named He-macs wrestling a pencil-neck named Vimmy over what text editor to use, but now FOSS devs are concerned about making sure marginalized human beings feel “welcome,” as if someone was trying to physically block newcomers. That opens the door to social justice and other buzzwords that prigs use to feel better about themselves, and utopian visions documented in “Codes of Conduct,” or CoC.

The sentiment behind a CoC is that there is no excuse for being an ass, which sounds great until you realize that only a select few people get to decide who’s an ass. So when open source leaders want to stop you from doing free work they can pretend that its your fault for violating their code instead of admitting they never really wanted to include just anybody. They’ve managed to make exclusivity look inclusive, and it makes me crazy that so few people see that.

To read the developer’s screed you’d think the concept of codes of conduct is something new cooked up by social justice activists to marginalize the old hats in the open source community. But codes of conduct are nothing new, in fact we all live with them every day. And pushing for codes of conduct that forward your interests is also nothing new.

For example, do you wear pants when you go out in public? I’m guessing, unfortunately, most people reading this will answer yes. Wearing pants in public is the norm. Why is that? Because it’s a code of conduct that most people have decided to abide by.

Here’s another example, when you walk into a lecture do you immediately start screaming obscenities at the speaker? Most people reading this will probably answer no. When you attend a lecture it’s the norm to shut the fuck up until the speaker is ready to take questions. This is another code of conduct that most people have decided to abide by.

Getting more specific than that, most employees sign an agreement when they take on a job that includes, amongst other things, a code of conduct. Such novel ideas that are commonly included in these agreements are prohibitions against sexually harassing co-workers, showing up on time, and expectations that you won’t be a raging asshole when caught in a disagreement with co-workers.

None of the above mentioned codes of conduct are set in stone either. They’re constantly subject to change based on the desires of a vocal subgroup within the overall community. I know a lot of programmers that have spent countless hours bitching about companies that require employees to dress business casual. These programmers want to show up in their jeans, t-shirts, and hoodies. By and large they have succeeded as the generally acceptable attire for working in the field of software development has become more lax.

Codes of conduct within societies have also changed (and do so about once per generation). The attire most men and women wear today would have been considered almost entirely unacceptable merely a generation or two ago. Our grandparents probably think men today dress like slobs and women dress like whores. Today less than a suit and tie is generally considered acceptable attire for a man in public just as a dress that doesn’t come down to the ankles is considered acceptable attire for a woman in public.

Another societal code of conduct that has changed over the last generation or two is the acceptable use of force. Not too long ago it was considered somewhat acceptable to deck a guy who was acting like a complete asshole. If the person who was hit complained, the response they would have received would have been some variation of, “You asked for it.” Today almost any use of force can result in assault charges and/or civil lawsuits.

Now people are trying to introduce certain codes of conduct into open source projects. This shouldn’t be surprising to anybody since the number of software developers is increasing and that increase is carrying a lot of diversity that didn’t previously exist. As is common in such situations the old guard and the new guard aren’t seeing eye to eye. Both sides want things to be a certain way and they’re arguing passionately over their differences. In all likelihood things will end up shaking out somewhere in the middle.

So what can you do if you don’t want to be affected by these changes? The same thing people throughout history have done when they didn’t want to be affected by changes: break off and do your own thing. If you work on your own project or for your own business you can set whatever rules you like. What’s that you say? You don’t want to? Tough shit. When you work for somebody, whether it’s for free on an open source project or for pay at a business, you have to play by the rules set down by the higher ups. The only way you can truly play by your own rules is to be your own boss.